Rethinking Water Industry OT Cybersecurity Strategy

12 May 2025

In crisis mode, the water industry needs to look beyond the obvious for OT cyber security.

Recent warnings by the Environment Protection Authority (EPA) and the National Security Agency (NSA) about the vulnerability of water and wastewater systems to cyber-attack come as no surprise to industry observers.

It is not hyperbole to state that with over 70% of surveyed water systems failing to meet EPA cyber standards, the industry is in crisis mode. With the increasing incidence and risk of state-sponsored attacks on critical infrastructure, incremental improvements to cyber prevention and detection tools fall short.

This article will explore a different approach, based on Process-Oriented OT Cyber Security for the water industry.  It’s not a panacea for all threats, but when the industry is facing unprecedented threat, I believe it should be a core component of mitigating the risk of cyber-attack.

Missed warnings, lost opportunities

Let’s start with how we got to this point.

For decades, Joe Weiss has been warning that critical infrastructure, including water systems, is highly vulnerable to cyber-attacks.  Oftentimes a lone voice, Weiss spoke about outdated control systems that were never designed with cybersecurity in mind and the growing connectivity of these systems to the internet. Unfortunately, too few people (read government authorities and budget owners) paid attention.

The counter argument to Joe Weiss’ stark warnings was that the likelihood of a cyber attack on a water facility was so low that it was close to non-existent. The town of Muleshoe, Texas with a population of about 5,000 did not consider itself a high-risk target.  But in January of 2024, hackers caused the city’s water system to overflow, forcing a shutdown and temporary use of manual operations.  Overnight, what was previously non-existent became reality.

One important point for consideration is the consequential nature of a successful cyber-breach on a water system. If the operations of a private manufacturing company are disrupted by a cyber-attack, the costs are likely covered by the owner in terms of lost production and downtime. But if a water system is compromised and drinking water is contaminated or wastewater spillage causes environmental damage, then the cost is paid by society.

Simply doing the same things differently isn’t a sustainable strategy. New approaches are urgently needed.

Is it too late for the industry?

The industry is now in catchup mode.

The problem is that the obvious solutions (e.g., training programs to raise awareness among operational staff, improved IT security protocols such as network segmentation and intrusion detection tools) are too little, too late. That is before even considering the complexity of upgrading cyber capabilities within legacy systems that are well known to state-sponsored attackers who are several steps ahead.

The reality is that new and previously undetected threat vectors, the so-called zero-day attacks, are increasing at a more rapid pace than the tools designed to detect them. Because of the sheer quantity of potential attack vectors, each Intrusion Detection System only provides partial detection coverage, and the average water facility cannot afford multiple, partially overlapping detection tools. Furthermore, once a potential attack has been identified, the IDS is not designed to support the response decisions that follow.

In summary, denial is not a strategy and catching up is not feasible.

A third alternative – Process Oriented OT Cyber Security

There is a different approach to Cyber OT: assume that a cyberattack is inevitable and plan accordingly.  This does not mean that traditional prevention and detection tools are not necessary components of a cyber defense strategy.  They are.  They are just not enough.

When the inevitability of an attack becomes the starting point of a CISO’s strategy, it changes how the organization trains its employees, plans and then responds to an attack.

This is where “Process-Oriented” OT cyber security can play a significant role.

This approach is defined as a cybersecurity category that focuses on identifying any potential cyber-oriented disruption or manipulation of a site’s industrial processes. In other words, it protects the core assets.

How does this differ from current OT Cyber Security?

The traditional Network Security in OT is designed to protect communication channels, data, and systems from unauthorized access, breaches, and cyberattacks. It involves securing the network infrastructure, such as firewalls, intrusion detection systems, and encryption, to prevent data theft, network intrusions, and malware infections.

In contrast, Process-Oriented OT Cyber Security is centered on the actual industrial processes and physical operations within the OT environment. It ensures that the processes controlled by OT systems (in our case water and wastewater systems) remain secure, reliable, and resilient.

The key difference is that while network security protects the data and communication systems, process-oriented security focuses on the operational integrity and continuity of the physical processes themselves.

How Does It Work?

At the core of a Process-Oriented OT cybersecurity approach is visibility across all levels of the Industrial Control System (ICS), referred to as Levels 0 to 4 in the Purdue Model. This visibility is crucial because threats often target the lower levels of the system—particularly the physical processes (Level 0)—where traditional network security tools may not detect them. For example, in false data injection attacks, data from the SCADA system can be manipulated, creating the illusion of normal operations while the physical process is under attack.

Process-Oriented OT Cyber Security requires an independent monitoring layer that uses out-of-band hardware sensors at the process level (Level 0). These are unidirectional, meaning they cannot be controlled or manipulated by a compromised ICS. Anomalous sensor behavior could be indicative of a cyberattack or of system failure.

This approach is more than just detection – it’s also about decision making and containment after an attack has occurred.

Let me explain how.

First, once an attack is detected, real-time data from the process level becomes the most reliable source of information. In compromised systems, higher-level data might be unreliable or even maliciously altered. By having direct visibility into the physical processes, operators can make more informed decisions about whether to continue operations, shut down systems, or isolate certain parts of the infrastructure.

Second, during containment, the ability to distinguish between compromised and uncompromised processes is crucial. With Process-Oriented OT cybersecurity, operators can quickly identify which processes are still functioning normally and which have been affected. This allows for targeted containment, minimizing disruption to the rest of the system. Instead of blanket shutdowns or guesswork, this approach ensures that the most critical parts of the operation can continue while affected areas are dealt with.
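As an added illustration (not code from the article), the following Python sketches the comparison an out-of-band monitoring layer makes for the detection step above and the containment step just described: each process's SCADA-reported readings are set against the independent Level 0 sensor, processes where the two views diverge are flagged as no longer trustworthy from SCADA, and the site is split into processes to isolate and processes that can keep running. The process names, readings and tolerances are constructed for the example.

```python
from statistics import mean

# Constructed sample data (not from any real facility): six one-minute samples per process,
# each a pair of the SCADA-reported value and the independent out-of-band (Level 0) sensor value.
CONSTRUCTED_READINGS = {
    # SCADA and out-of-band sensor agree: nothing to act on.
    "clearwell_tank_level_pct": {"scada": [60, 61, 61, 62, 62, 63], "oob": [60, 61, 61, 62, 62, 63]},
    # SCADA reports a steady level while the physical tank climbs toward overflow:
    # the "illusion of normal operations" produced by false data injection.
    "elevated_tank_level_pct": {"scada": [70, 70, 70, 70, 70, 70], "oob": [70, 78, 86, 94, 99, 100]},
    # Both sources agree: the chemical feed process is unaffected.
    "chlorine_feed_mg_l": {"scada": [1.2, 1.2, 1.3, 1.2, 1.2, 1.2], "oob": [1.2, 1.2, 1.3, 1.2, 1.2, 1.2]},
}

# Assumed per-process tolerances: how far SCADA may drift from the physical sensor before the
# two views are treated as inconsistent. Real values would come from process engineering.
DIVERGENCE_LIMITS = {"clearwell_tank_level_pct": 2.0, "elevated_tank_level_pct": 2.0, "chlorine_feed_mg_l": 0.1}


def divergence(scada, oob):
    """Mean absolute gap between the SCADA view and the out-of-band sensor view."""
    return mean(abs(s - o) for s, o in zip(scada, oob))


def assess(name, scada, oob, limit):
    """Classify one process. The physical (out-of-band) reading is trusted; once SCADA
    disagrees with it beyond the tolerance, the SCADA/control path is treated as compromised."""
    gap = divergence(scada, oob)
    if gap > limit:
        return {"process": name, "divergence": round(gap, 3), "status": "divergent",
                "action": "isolate control path; operate from out-of-band readings or manually"}
    return {"process": name, "divergence": round(gap, 3), "status": "consistent",
            "action": "continue normal operation"}


def containment_plan(readings=CONSTRUCTED_READINGS, limits=DIVERGENCE_LIMITS):
    """Split the site into processes to isolate and processes that can keep running,
    so containment is targeted rather than a blanket shutdown."""
    results = [assess(n, r["scada"], r["oob"], limits[n]) for n, r in readings.items()]
    return {
        "isolate": [r["process"] for r in results if r["status"] == "divergent"],
        "keep_running": [r["process"] for r in results if r["status"] == "consistent"],
        "details": results,
    }


if __name__ == "__main__":
    for row in containment_plan()["details"]:
        print(row)
```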

Finally, the focus on training and simulation within this approach prepares OT and IT teams for the complexities of real-world cyberattacks. Process-Oriented cybersecurity emphasizes the need for pre-established response protocols that account for both operational and cyber considerations. This ensures that when an attack occurs, teams are ready to act quickly and cohesively, reducing the impact on critical processes and enhancing the chances of a successful recovery.

By integrating detection, decision-making, containment, and training into a unified framework, Process-Oriented OT cybersecurity offers a comprehensive approach to protecting industrial systems from increasingly sophisticated threats.

Conclusion

The water industry can no longer rely on traditional cybersecurity measures. The combination of outdated infrastructure and increasing state-sponsored threats makes it essential to rethink how security is implemented. Process-Oriented OT cybersecurity provides a new framework that starts with the assumption that an attack will happen and focuses on securing the core processes that keep water systems operational.

There is no silver bullet when it comes to Cyber OT for water and wastewater systems. But the addition of Process-Oriented OT cyber security can provide support when it is most critical to the health and safety of the industry’s employees and the communities they serve.
